Last updated: July 10, 2026
The controller within the meaning of the GDPR is:
Alexander Burkhard, Münsterlandstraße 68, 10317 Berlin, Germany
Contact: [email protected]
We have not appointed a data protection officer because our number of employees does not reach the threshold under § 38 BDSG.
Under Art. 9(1) GDPR this data constitutes a special category of personal data and is processed solely on the basis of your explicit consent (Art. 9(2)(a) GDPR).
Payment processing itself runs exclusively via Apple. We receive neither your payment-method data nor your billing status.
When an authorized administrator (currently exclusively the controller) accesses or modifies your account, health or chat data in the course of support, abuse prevention or security audits, we log this access (time, affected account, action taken). This serves the purpose of evidence and accountability under Art. 32 GDPR.
To provide the service we use the following processors and third-party services. Data processing agreements pursuant to Art. 28 GDPR have been concluded with all of them, where applicable.
@dumbcalories.app addresses (e.g. support@, hello@) including sender address and content. An EU Commission adequacy decision exists for Switzerland, so transfers there require no additional safeguards.Several of the providers named above are based in the USA. Where personal data is transferred there, this is done on the basis of the EU-US Data Privacy Framework, provided the provider is certified, otherwise on the basis of the Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR including supplementary measures.
For users in Switzerland, transfers to the USA are based on the Swiss-U.S. Data Privacy Framework where the provider is certified, otherwise on the Standard Contractual Clauses recognized by the Swiss supervisory authority (FDPIC).
For users in the United Kingdom, transfers to the USA are based on the UK Extension to the EU-U.S. Data Privacy Framework ("UK-U.S. Data Bridge") where the provider is certified, otherwise on the UK International Data Transfer Agreement (IDTA) or its Addendum.
On our public pages (home, /foods, /blog) we collect anonymous, aggregated usage statistics without cookies and without storing anything on your device (unless you actively opt out of analytics via ?noph=1, which we remember via a single local flag). No cross-device identifier is set and a session is never linked beyond the page visit. Processing is EU-hosted via PostHog. Personalised in-app analytics remain separate and run only with your consent in Settings.
The nutrition assistant is powered by Google Gemini, a generative AI model. Your chat inputs (text, photo, audio) are transmitted to the Gemini API to generate a response. The AI does not replace medical or nutritional advice; its outputs may be incorrect.
No training on user data: we use Gemini exclusively via the paid API. Google has contractually undertaken not to use your inputs or the generated responses to train or improve its models.
If you enable the HealthKit integration in the iOS app, the app reads calories burned (active energy) and weight values from Apple Health on your device and sends them to our servers for display in the daily overview. Apple Health data leaves your device only through this explicit activation. You can revoke the permission at any time in the iOS settings. Processing takes place within Apple's HealthKit policies: HealthKit data is not used for advertising and is not shared with third parties that are not processors within the scope of our service.
When you log in with Apple or Google, the respective provider transmits to us only a stable identifier („sub“), your email address and (with Apple, once) your full name. We store the „sub“ to reliably recognize you on future logins. With Apple we additionally store a Fernet-encrypted refresh token that allows us to dissolve your link with Apple in the event of account deletion.
We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. The AI responses are supportive recommendations with no legally binding character.
You have the right at any time to:
For questions about these rights or to exercise them: [email protected].
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for our seat is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59–61, 10555 Berlin, www.datenschutz-berlin.de.
For users resident in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP / revDSG, in force since 1 September 2023) applies in addition. Our GDPR-aligned processing meets its requirements in substance; the data-subject rights described in this policy (access, rectification, erasure) apply equally under the revFADP. The competent Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, www.edoeb.admin.ch.
For users resident in the United Kingdom, the UK GDPR and the Data Protection Act 2018 apply in addition. Our GDPR-aligned processing meets their requirements in substance; the data-subject rights described in this policy apply equally. The competent supervisory authority for UK users is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, ico.org.uk. Where we transfer UK personal data to the United States, we rely on the UK Extension to the EU-U.S. Data Privacy Framework ("UK-U.S. Data Bridge") for certified recipients, otherwise on the UK International Data Transfer Agreement (IDTA) or Addendum.
For users resident in New Zealand, the Privacy Act 2020 and its Information Privacy Principles apply in addition. Our processing meets its requirements in substance; the data-subject rights described in this policy (access, correction, deletion) apply equally. Our privacy officer for the purposes of the Act is Alexander Burkhard ([email protected]). The competent authority is the Office of the Privacy Commissioner (OPC), www.privacy.org.nz. Where we disclose personal information to providers outside New Zealand, we ensure comparable safeguards consistent with Information Privacy Principle 12.
For users resident in the United States, the following applies in addition. We do not sell your personal information, and we do not share it for cross-context behavioral advertising — the service shows no ads and contains no advertising trackers. We treat health and nutrition data as sensitive personal information within the meaning of the California Consumer Privacy Act (CCPA/CPRA): we use it exclusively to provide the service you request, and not to infer characteristics about you for other purposes. Even where the applicability thresholds of individual US state privacy laws are not met, we extend their core rights — to know/access, correct, delete and port your data, without discrimination for exercising them — to all US users, as described in section 12. Requests: [email protected].
For consumers in Washington and Nevada, our separate Consumer Health Data Privacy Policy describes the consumer health data we process and the rights granted by the Washington My Health My Data Act (chapter 19.373 RCW) and Nevada's consumer health data law (SB 370, 2023), including withdrawal of consent, deletion and appeals.
We reserve the right to adapt this Privacy Policy to changed legal or technical conditions. The current version is always available here; we will announce material changes with reasonable notice.